Visa has observed an increase in network intrusions involving service providers, re-breaches of merchant payment environments and skimming incidents involving Point of Sale (POS) device overlays. Visa is issuing this alert to make Members and entities aware of their obligations to investigate and immediately report all data compromise events.

Visa understands the challenges faced by merchants when it comes to staying on top of account information changes. Outdated credential-on-file information can lead to declined transactions and cardholder inconvenience. Increase authorization approvals and reduce customer service issues and expense with Visa Account Updater (VAU). VAU offers two solutions that solve this problem: VAU and Real Time VAU.

Instances in which a transaction is initiated with a stored credential, based on a cardholder’s consent for future use, have increased to significant levels. Identifying transactions made with stored credentials allows for differentiated treatment through the authorization approval process. This results in greater visibility of transaction risk levels for issuers, higher authorization approval rates and completed sales, an enhanced cardholder experience, and participation in the Real Time Visa Account Updater Service. The information provided in this guide allows all stakeholders to comply with the mandatory requirements and take advantage of the benefits of the Stored Credential Transaction framework.

In February 2017, analysts identified a new technique used with JavaScript-based eCommerce malware that enables the malware to re-infect the website automatically upon incomplete removal. Visa is providing this report in order to alert eCommerce merchants to this malware technique, and to provide detection and mitigation methods if this malware is discovered.

Today, cardholders have real-time, 24/7 access to their online banking through smartphone and other device apps. Purchase information is quickly updated to a cardholder’s account; however, a similar flow of information does not exist on purchase returns. Visa’s new return authorization messages will enable issuers to update cardholders’ online banking statements in real time and provide text alerts to those cardholders that opt in to the service with their issuer. This new service will improve customer experience, reduce inquiries related to lack of real-time information, provide real-time issuer account validation, and minimize related chargebacks.

The information contained in the Visa Payment Acceptance Best Practices for U.S. Quick-Service Restaurants guide is geared toward the actions and decisions most pertinent to quick-service restaurants and operators in the U.S. It also includes best practices and on-the-job support tools for managers and employees.

Visa has been working with merchants, acquirers, and fuel-industry providers to support migration to the more secure EMV technology. The EMV liability shift is designed to better protect all parties. With the new rules, the party that is the cause of a chip transaction not occurring, either the issuer or acquirer, will be held financially responsible for any resulting card-present counterfeit fraud losses. However, due to challenges with EMV Automated Fuel Dispensers (AFD) solution readiness, Visa is delaying the U.S. domestic AFD EMV liability shift date to 1 October 2020.

Webinar deck highlights tools and resources that are available to clients and merchants to mitigate risks when selecting a service provider partner. Additional highlights include Third Party Agent Risk Program initiatives, including unregistered agent campaigns and multiple tool enhancements.

Multiple information security firms have reported on the emerging threat of a new malware variant identified as “Flokibot.” While Flokibot attacks have focused on the LAC region to date, this malware may represent a broader threat to the payments ecosystem. Visa is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise and suggested mitigation activities to protect the payments ecosystem.

It is always a great opportunity to set goals and make plans to achieve them. While motivation is at an all-time high, consider taking the following actions to help secure the payments ecosystem at the merchant level.

Download this comprehensive manual for all businesses that accept Visa transactions in the card-present and/or card-absent environment. This guide provides the latest information and best practices to help merchants process Visa transactions, understand Visa products and rules and protect cardholder data while minimizing the risk of loss from fraud.

As the US market migrates to EMV chip, the fraud threat from criminals placing skimming devices on, or in, attended and unattended point-of-sale (POS) devices for the purpose of collecting payment card information, including PIN numbers, increases. Perpetrators use skimmed payment information to quickly create counterfeit cards re-encoded with the stolen card information, typically resulting in ATM withdrawals. To help clients combat skimming, Visa is providing guidance on recommended inspection and response actions. This data security alert may be disseminated to all payment system stakeholders.

Visa provides a Partial Authorization service that provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. This flyer provides information about the benefits realized, how to use the service, and answers to frequently asked questions.

Chip card technology in the U.S. has created new challenges for committing fraud at the physical point of sale. Data compromises continue to occur, with fraud migrating online and into other card-not-present channels. As a result, some merchants may experience an increase in chargebacks and transaction declines, cutting into their profitability. In this webinar, learn about current fraud trends and strategies to mitigate fraud in e-commerce. Visa shares common flags for card-not-present fraud and methods for managing and resolving transaction disputes.

Global eCommerce sales are expected to double from 2015 to 2019. While growth in this sales channel creates great opportunities for merchants, it also has the ability to attract high levels of fraud activity. With the holiday season fast approaching, merchants should understand how to best protect against Card Not Present Fraud.

Recognizing the signs of a cyber-attack can make the difference between falling victim to a Point-of-Sale compromise and stopping a breach in progress or preventing one altogether. Through research and intelligence gathered from payment data breach investigations, Visa identified many common tactics, attack characteristics and malware types across breaches in every merchant vertical. Learn some of the new developments in Point-of-Sale network attacks and gain insights into data exfiltration methods as well as how to spot the common warning signs of a breach within the payment environment. Knowing the attacker’s tactics and tools goes a long way in building better defenses.

With steady progress and growth of EMV since October 1, 2015, there are now more than 1.46 million chip-enabled businesses and 363 million chip-enabled Visa cards, making the U.S. the largest Visa chip card market in the world. The number of Visa chip transactions surpassed half a billion in the month of August, representing a 1,000+ percent annual increase. As we reach the one-year anniversary of the EMV liability shift, many questions remain regarding the process behind the migration and the advancements made in the past year. This session discussed why the U.S. moved to EMV and the progress the industry and Visa have made in the past year, and analyzed early results and updates on further enhancements, such as Visa Quick Chip.

Visa has seen an increase in global ATM cash-out fraud, which can extract millions of dollars from financial institutions in a short time. The key to limiting losses is quick detection and decisive action, carefully coordinated with Visa. ATM cash-out fraud can happen at any time, anywhere in the world. It often affects issuers in one country and acquirers in another. To help clients combat this global and sophisticated type of fraud, Visa is providing guidance and best practices.

In late August 2016, Visa became aware of a recent ATM malware compromise in Southeast Asia and is providing indicators of compromise (IOCs) in order to enable security and incident response teams of financial institutions and ATM manufacturers to check and secure network environments. While these IOCs are specifically associated with an investigation involving ATMs in the Southeast Asia incident, Visa notes that the methods employed by the criminals in this incident represent a broader criminal threat to ATM manufacturers/models worldwide and their deployers.

Visa previously published a technical analysis on malware, including filenames, malware hashes, and criminal methodology involved in a separate ATM Jackpotting incident in the Asia-Pacific region. While there are similarities between the two events, this notification serves to highlight key differentiators, including malware and methodologies, pertaining to the incident in Southeast Asia.

Mobile purchases increased to nearly one in five online orders and generated about $69.1 billion during the most recent holiday season. As mobile payments grow, fraud risks increase. Knowing the differences between eCommerce and mCommerce fraud is a critical first step in protecting merchants. Visa and CyberSource experts explain how a process-based approach can help clients detect and control mobile fraud.

On Monday, 8 August 2016, Oracle Security informed Oracle MICROS customers that it had detected malicious code in certain legacy MICROS systems. Oracle is currently investigating the compromise, and as of 12 August 2016, the company has not published details about the cause/s. Visa is issuing this alert to provide indicators of compromise (IOCs) associated with cybercrime threats known to have previously targeted Oracle systems.

The PCI Security Standards Council convened a small merchant business taskforce to provide guidance and feedback to prepare resources that simplify data security for some of the most vulnerable businesses preyed upon by cybercriminals. Relying on cross-industry expertise to help small merchants understand why and how to protect payment card data and resolve risks to their businesses, the taskforce has developed a toolkit to aid this effort.

Visa highlights the ATM “Jackpotting” incidents in the attached data security alert. This publication provides information regarding indicators of compromise (IOCs) as well as recommendations for response.

This flyer provides clarification of the rules which detail how a merchant should identify the proper location for all transactions processed through the Visa system. Providing the proper information helps prevent unnecessary cardholder disputes and reduces additional risk to the Visa system.

Magento is a popular open-source, e-commerce platform written in PHP. Several critical and high vulnerabilities were discovered and patched on the Magento platform in January 2016. Merchants who have not deployed security patch SUPEE-7405, as required by PCI standards, are vulnerable to remote exploits that can compromise account data. Document shares a description and impact of Magento and provides detection and mitigation steps.

In March 2016, the PoSeidon (point-of-sale) PoS malware was modified with the incorporation of a persistence monitoring capability. PoSeidon malware now actively monitors the PoS system processes in order to maintain the infection and malware functionality. If the malware is removed from the system, the monitor process waits two (2) minutes and re-infects the system. Document provides an overview of the threat and risk description and best practices to mitigate against PoSeidon.

In response to a rise in incidents in which skimming devices were placed on POS terminals to collect payment card information, Visa shares typical skimming events that affect self-checkout terminals and the ways in which perpetrators carry out these attacks and how merchants can identify and properly manage these incidents.

Visa provides an Account Number Verification (ANV) Service that assists merchants in verifying if an account is in good standing. This flyer provides information about the service and gives various scenarios for real-life application.

The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.2 of the PCI DSS, which provides a baseline of technical and operational requirements designed to protect cardholder data. The bulletin includes key updates, effective dates for implementation and additional resources.

The Payment Card Industry Security Standards Council (PCI SSC), which is responsible for defining the technical and operational standards for the protection of payment card data, will release an update to the PCI Data Security Standard (PCI DSS) in late April 2016. Visa’s representatives on the PCI SSC will provide information on what to expect with Version 3.2, review the key changes associated with this release and outline dates and impacts to Visa compliance programs.

Following Visa’s requirements for processing a refund will help keep your customers informed and reduce the number of questions you may receive as the result of a return. This flyer describes best practices in processing a refund to a cardholder’s account.

Many merchants are creating an omni-channel experience for their customers that provides convenient, seamless and secure delivery across all of their channels, including in-store, eCommerce, telephone, mobile web, and mobile app. This flyer describes the omni-channel experience depending on the payment and delivery option selected by the customer.

Visa Claims Resolution (VCR), a new global initiative, will replace Visa’s existing dispute resolution process. VCR will simplify dispute processing by migrating from a litigation-based approach to a liability-assignment-based approach. This flyer describes the new process, consolidation of reason codes, and merchant benefits.

Visa and a guest speaker from FireEye explain how financially motivated attackers are targeting customer data and the payment ecosystem. The session dived into security vulnerabilities and techniques hackers use to steal customer information, including payment card data. Visa subject matter experts also provide valuable cyberthreat indicators, risk mitigation strategies and practical guidance on how to detect these threats and secure systems from attack.

Visa provides an overview of the risks third parties may introduce into the payment ecosystem and recent program updates and mandates (including small merchant and use of Qualified Integrators and Resellers). Additionally, it highlights tools and resources available to issuers, acquirers and merchants when selecting service provider partners.

Visa highlights “Kuhook” Point-of-Sale (POS) malware, a variant from the “ModPOS” malware family. This point of sale malware, “Kuhook”, is one of the most sophisticated and difficult to detect payment card stealing malware identified. Visa experts and Mandiant highlight the malware capabilities, indicators of compromise and mitigation steps.

Updates to the small merchant data security requirements for U.S. and Canada acquirers. These requirements involve the use of Qualified Integrators and Resellers (QIRs) and required PCI DSS validation. This document includes Frequently Asked Questions about the data security requirements.

Visa has identified multiple malware families targeting the lodging industry, including casinos and resorts. To name a few, “FindPOS” (or “Poseidon”), “FrameworkPOS”, and “rawpos” are confirmed in several Visa investigations, suggesting the industry continues to be attractive to attackers interested in payment card data. This publication provides information on each malware family along with security best practices to mitigate this threat.

Lists qualification criteria for custom payment service rates available to retail merchants in the electronic commerce space. Also provides information about key Visa products for validating the identity of cardholders.

Visa has identified a variation of malware (from the ModPOS malware family) targeting Point-of-Sale (POS) systems designed to run on Microsoft Windows. Codenamed “Kuhook,” the malware utilizes keylogger and memory scraping/parsing functionality. The malware is a sophisticated set of kernel mode device drivers written for the Windows XP platform and is compressed to make the source code and data unreadable.

Visa and CyberSource experts explore CNP risk methodologies to optimize the consumer experience and reduce false declines while minimizing fraud losses. Additionally, Visa tools such as CVV2, AVS, Verified by Visa – among others – were covered in great detail as well as CyberSource’s Decision Manager.

Requirements for U.S. and Canada acquirers to ensure that their small merchants take steps to secure their point-of-sale (POS) environment. Merchants must use Qualified Integrators and Resellers (QIRs) and Level 4 merchants must validate PCI DSS compliance.

Valuable information for small merchants, including franchisees, highlighting the importance of protecting their customers' cardholder data, explaining the Payment Card Industry (PCI) Data Security Standards (DSS), and providing tools, solutions and strategies to use to help mitigate the risk of fraud and data breaches.

Visa analyzes the underlying causes of recurring breaches and the downsides to "check the box" cyber incident response. Breach preparedness and incident response best practices are provided to help respond to a breach the right way.

Microsoft will no longer support or issue security fixes for Windows Server 2003 after July 14, 2015. This poses a greater risk to the data security of a company utilizing Windows Server 2003. Furthermore, as of July 15, 2015 companies using this software may no longer be in compliance with Payment Card Industry Data Security Standard (PCI DSS).

Visa reviews how flat networks or networks without adequate network segmentation make it easy for an attacker to pivot and traverse the network after it has gained entry. Properly segmenting the network can greatly reduce PCI scope, controls, and costs. Also provided are recommendations, benefits and principles of network segmentation, and how to best defend against network threats and vulnerabilities.